IS 3003 Ch 8: Securing Information Systems


Computer Crime/Fraud

"any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution" [defined by the U.S. Department of Justice]. Commission of illegal acts through use of a computer or against a computer system; the computer may be the object (target) or the instrument of the crime.

Phishing -

A high-tech scam in which an e-mail requests the update or confirmation of sensitive personal information by clicking a link to a fake web site. E-mails that seem to come from legitimate sources direct e-mail recipients to false Web sites in order to capture private information.

Password management applications -

- Allow user to store username and password, along with other account details
- Application is itself protected by a single strong password, and can even require the presence of a file on a USB flash drive before the program will open
- Allows user to retrieve usernames and passwords without the need to remember or even type them
- Allows for very strong passwords

__________ defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet, and specifies consequences for noncompliance.

An acceptable use policy (AUP)

Hardware problems

Breakdowns, configuration errors, damage from improper use or crime, theft of devices

Variations of Phishing -

Evil Twins: a type of phishing technique. Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet to entice users to log on and reveal passwords or other personal information.

HIPAA:

Medical security and privacy rules and procedures

Disasters

Power failures, flood, fires, others ...

Antivirus Software

Prevents, detects, and removes malware, including computer viruses, computer worms, Trojan horses, spyware, and adware. Must perform regular updates. (consider holistic protection)

Backup -

copies of critical systems and data, done on a regular basis

Ongoing use of metrics

facilitates measurement of system performance and problem identification

Identity Theft

- A crime in which an impostor obtains key pieces of personal information to impersonate someone else
- The forging of someone's identity for the purpose of fraud
- "total identity theft" ....
- Identity Theft Resource Center

Computers as Targets of Crime

- Breaching the confidentiality of protected computerized data
- Accessing a computer system without authority
- Knowingly accessing a protected computer to commit fraud
- Intentionally accessing a protected system and causing damage, negligently or deliberately
- Knowingly transmitting a program, program code, or command that intentionally causes damage to a protected computer
- Threatening to cause damage to a protected computer

Internet vulnerabilities

- Network open to anyone
- Size of Internet means abuses can have wide impact
- Use of fixed Internet addresses with permanent connections to the Internet eases identification by hackers
- E-mail attachments may contain malicious SW (viruses, etc.)
- E-mail content may contain trade secrets, confidential information
- IM messages, texts lack security, can be easily intercepted

Wireless security challenges

- Radio frequency bands easy to scan
- Wi-Fi was designed to make it easy for stations to find and hear each other
- SSIDs (service set identifiers) that identify the access points in a Wi-Fi network are broadcast multiple times and can be picked up easily

Computers as Instruments of Crime

- Theft of trade secrets
- Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video
- Schemes to defraud
- Using e-mail for threats or harassment
- Intentionally attempting to intercept electronic communications
- Illegally accessing stored electronic communications, including e-mail and voice mail
- Transmitting or possessing child pornography using a computer

Malicious SW -

SW written with malicious intent to cause annoyance or damage to a computer system or network. Types of malware:
- Viruses
- Worms
- Trojan horses
- SQL injection attacks
- Ransomware
- Spyware
- Keyloggers
- Sniffers
- Denial-of-service attacks
- Spoofing
- Phishing/Spear phishing
- Evil twins
- Pharming

Factors Driving the importance of security ...

1. Evolution from mainframe environment to today's interconnected, wireless, networked infrastructure
2. Trend toward smaller, faster, cheaper, portable computers and storage devices
3. Increased employee use of unmanaged devices
4. The computer skills necessary to be a hacker are decreasing ...
5. International organized crime is taking over cybercrime

What best describes a security policy?

A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals.

Token (Security Token)

A small electronic device that changes user passwords automatically. Designed to prove the identity of a single user.

Ransomware

- A type of malware that tries to extort money from users by taking control of their computers or displaying annoying pop-up messages
- Ex. CryptoLocker: encrypts an infected computer's files, forcing users to pay to regain access
- Can get it from downloading an infected attachment, clicking a link inside an e-mail, or by visiting the wrong web site

Spoofing -

- A way of misrepresenting oneself by using a fake e-mail address, or masquerading as someone else
- Often involves forging the return address of an e-mail so that the message appears to come from someone other than the actual sender ...
- Attempting to gain access to a network or data by posing as an authorized user to find sensitive information
- May also involve redirecting a Web link to an address different from the intended one
- May be used in spam or phishing attempts

Acceptable Use Policy (AUP)

Acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. Identifies acceptable and unacceptable practices for all users.

Antivirus and Antispyware software:

Check computers for presence of malware and can often eliminate it as well. Require continual updating.

Firewall -

- Combination of hardware and software that controls the flow of incoming and outgoing network traffic
- Acts as a filter or barrier between a private network and external computers or networks
- Network administrator defines rules for access
- Examines data passing into or out of a private network
- Decides whether to allow the transmission based on users' IDs, the transmission's origin and destination, and the transmission's contents

Password

Combination of numbers, characters, and symbols used to allow access to a system. Length and complexity determine its vulnerability to discovery.

Unified Threat Management Systems (UTM):

Combination of security tools including firewalls, intrusion detection systems, VPNs, web content filtering, and anti-spam SW

Fault-tolerant computer systems

- Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service
- Ex. RAID, UPS, duplicate/backup HW
- Use special SW routines or self-checking logic built into their circuitry to detect HW failures and automatically switch to a backup device

Issues in choosing a biometric technique:

- Cost
- Accuracy
- Perceived intrusiveness
- Effort required on part of user
- Cultural preferences/issues
- Context/environmental situation

Digital certificate:

- Data file or electronic document used to establish the identity of users and electronic assets for protection of online transactions
- Uses a trusted third party, a Certificate Authority (CA), to validate a user's identity
- The CA verifies the user's identity and stores information on the CA server, which generates an encrypted digital certificate containing owner ID information and a copy of the owner's public key
- The digital certificate system enables a credit card user and a merchant to validate that their digital certificates were issued by a trusted CA before they exchange data

Acceptable use policy (AUP)

Defines acceptable uses of firm's information resources and computing equipment

Authorization policies

Determine differing levels of user access to information assets. Incorporated in the firm's Identity Management Systems.

Risk assessment

Determines level of risk to the firm if a specific activity or process is not properly controlled:
- Types of threats
- Probability of occurrence during year
- Potential losses, value of threat
- Expected annual loss

Use of networks and computers outside of firm's control

- Domestic or offshore outsourcing vendors
- Growing use of portable devices

War driving

Eavesdroppers drive by buildings and try to intercept network traffic. When a hacker gains access to the SSID, they have access to the network's resources.

Electronic Evidence and Computer Forensics

- Evidence for white collar crimes often found in digital form
- Data stored on computer devices, e-mail, instant messages, e-commerce transactions
- Proper control of data can save time, money when responding to a legal discovery request

Information Systems audit

- Examines firm's overall security environment as well as controls governing individual information systems
- Reviews technologies, procedures, documentation, training, and personnel
- May even simulate a disaster to test response of technology, IS staff, other employees
- Lists and ranks all control weaknesses and estimates probability of their occurrence
- Assesses financial and organizational impact of each threat

Business Value of Security and Control Measures

Failed computer systems can lead to significant or total loss of business function. Firms are now more vulnerable than ever. A security breach may cut into a firm's market value almost immediately. Inadequate security and controls also bring forth issues of liability.

Legal and Regulatory Requirements for Electronic Records Management

Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection

Denial-of-Service Attack (DoS)

Floods a network server or web server with thousands of false service requests to crash the network. Prevents legitimate users' access to the system.

Business continuity planning:

- Focuses on restoring business operations after
- Identify firm's most critical systems
- Business impact analysis to determine impact of an outage
- Management must determine which systems to restore first
- Determine action plans for handling mission-critical functions

Information systems controls are both manual and automated and consist of general and application controls. What best describes general controls?

General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.

General controls -

- Govern design, security, and use of computer programs and security of data files in general throughout the organization's information technology infrastructure
- Apply to all computerized applications
- Combination of hardware, software, and manual procedures to create an overall control environment

Commercial software contains flaws that create security vulnerabilities

- Hidden bugs or program code defects
- Zero defects cannot be achieved because complete testing is not possible with large programs
- Flaws can open networks to intruders

Distributed denial-of-service (DDoS) attack

- Hundreds or thousands of computers work together to bombard a Web site with thousands of requests for information in a short period
- Difficult to trace
- Zombie: a computer working under the control of an outside party
- Botnets: networks of "zombie" PCs infiltrated by bot malware (typically viruses and spyware)

Sarbanes-Oxley Act:

Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Two-step Authentication

In addition to username (ID) and password, a short, randomly generated verification code is sent to you via text or e-mail that you need to enter to allow access

Worms

- Independent programs that copy themselves from one computer to others over a network
- Do not have to be attached to a host program
- Disrupt computer and network operations, slowing or halting the system
- Destroy data and other programs

Security verification icons: SysTrust and WebTrust Seals

International set of principles and criteria for systems and e-commerce

Controls:

Methods, policies, and organizational procedures that ensure safety of organization's assets; accuracy and reliability of its accounting records; and operational adherence to management standards

Describe a scenario that illustrates a drive-by download

Milly copies a file from the Internet to her PC, and, in the process, her PC gets infected by malware.

Intrusion Detection Systems:

Monitor hot spots on corporate networks to detect and deter intruders. Examine events as they are happening to discover attacks in progress.

Software Metrics:

Objective assessments of a system in the form of quantified measurements, such as:
- Number of transactions processed per minute
- Online response time
- Payroll checks printed per hour
- Known bugs per hundred lines of code

Hackers ....

People very knowledgeable about computers who use their skills to gain unauthorized access to a computer system:
- Black hat hackers ("crackers", criminal hackers) www.2600.com
- White hat hackers (ethical hackers)
- Script kiddies or script bunnies
- Hacktivists
- Cyber terrorists

Variations of Phishing -

Pharming: a type of phishing technique. Redirects users to a bogus Web page, even when an individual types the correct Web page address into the browser.

Identity Management, Authentication & Access Control

Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders. To gain access a user must be authorized and authenticated.

Security:

Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. The protection of information from accidental or intentional misuse by persons inside or outside the organization.

Encryption:

- Process of encoding messages before they enter the network and then decoding at the receiving end
- Transforming (encrypting) text or data, called "plaintext" or "cleartext", into "cipher text" that cannot be read by unintended recipients
- The data or text is then unscrambled, or decrypted, at the receiving end
- Rules for encryption determine how simple or complex the transformation process should be; known as the "encryption algorithm"

Software problems

Programming errors, installation errors, unauthorized changes

What best describes public key encryption?

Public key encryption is a more secure form of encryption that uses two keys, one shared and one totally private. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key.

Security policy

Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals. Drives other policies.

Cognitive Password (aka security questions)

Requires a user to answer a question to verify their identity; commonly used as a form of secondary access. Typical cognitive password questions:
- What is your mother's maiden name?
- What is your dog's name?

Gramm-Leach-Bliley Act:

Requires financial institutions to ensure the security and confidentiality of customer data

Viruses

Rogue software program that attaches itself to other software programs or data files in order to be executed. When the program or operating system containing the virus is used, the virus attaches itself to other files and is spread.

Trojan Horse

- SW program that appears to be benign (okay) but then does something other than expected
- Contains code intended to disrupt a computer, network, or Web site
- Malicious code hides inside a popular program or a program that appears to be useful

Computer forensics:

Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law. Includes recovery of ambient and hidden data.

Guidelines for strong passwords ... Passphrase -

Series of characters that is longer than a password but is still easy to memorize. Can serve as a password itself, or be used to create a strong password.

Patches

Small pieces of software released by a SW vendor to repair flaws. However, the amount of software in use can mean exploits are created faster than patches can be released and implemented.

Terminal resource security

Software feature that erases the screen and signs the user off automatically after a specified length of inactivity

Application controls -

Specific controls unique to each computerized application, such as payroll or order processing; ensure that only authorized data are completely and accurately processed by that application. Include input, processing, and output controls.

Why Increase In Attacks

- Speed of attacks
- More sophisticated attacks
- Simplicity of attack tools
- Faster detection of weaknesses
- Delays in user patching
- Distributed attacks
- Attacks exploit user ignorance and confusion

Identity Management Systems

- Support the organization's Security and Authorization policies
- Include business processes and technologies for identifying valid users of systems
- Establish where and when a user is permitted to access certain parts of a Web site or corporate database
- Allow each user access only to those portions of the system that person is permitted to enter, based on information established by a set of access rules, a profile

Biometrics -

Systems that read and interpret individual human traits to enhance security measures. Traits are unique to a person and can't be stolen or lost; may be physical or behavioral.

SQL injection attacks

- Take advantage of vulnerabilities in poorly coded Web application SW to introduce malicious program code into a company's systems and networks
- Used to attack databases through a website by including portions of SQL commands in a web form input field in order to change the database content or dump the database content (passwords, credit card information, etc.) to the attacker
- Currently considered to be one of the top 10 web application vulnerabilities ... Some studies show that web applications experience, on average, 71 attempts per hour! Some, even more!

Spyware

- Technology that aids in gathering information about a person or organization without their knowledge
- SW that secretly gathers information about users while they browse the Web; can come hidden in free downloads; tracks online movements, mines the information stored on a computer, or uses the computer's CPU and storage for some task the user knows nothing about
- Can collect, transmit, or use this information in several ways, including: sale of information to online marketers and spammers; illegal uses such as identity theft; modifying the user experience to market to the user by presenting ad banners, pop-ups, etc.

An individual posing as an online gamer accesses information stored in an unsuspecting user's computer by placing a program in his hard disk that appears to be legitimate. The system functions normally with the program performing underlying functions. The malware used by the individual is referred to as a(n) __________.

Trojan horse

Sniffer

- Type of eavesdropping program that monitors information traveling over a network
- SW used to capture and record network traffic
- Common type is a "password sniffer"
- Can be used for legitimate purposes to help identify potential network trouble spots, monitor network performance, or spot criminal activity
- But often used by hackers to intercept information

Common types of Access Controls

- User IDs, passwords, passphrases
- Cognitive passwords
- Two-step authentication
- Token (security token)
- Smart card
- Biometrics
- Terminal resource security

Which is better?

Xp4!e% or thisisaverylongpassword? Length always trumps complexity!

Click Farm -

a business that pays employees to click on website elements to artificially boost the status of a client's website or product

Smart Card

a device about the same size as a credit card, containing a chip formatted with access permission and other data - a reader device interprets the data on the card and allows or denies access

Spear phishing -

a more targeted form of phishing - messages appear to come from a trusted source, increasing the likelihood they will be opened

CAPTCHA

a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text, but current computer programs can't.

Cloud Computing Security -

accountability and responsibility for privacy and security reside with the Cloud user, although the Cloud provider is actually doing the hosting ...

Early and regular testing

contributes to system quality by checking the correctness of operations as well as identifying errors or bugs

Authorization -

determines what actions, rights, or privileges the user has, based on the verified identity

Disaster recovery planning:

devises plans for restoration of disrupted services

Information

is an organizational asset - it must be protected

Insiders -

- legitimate users who purposely or accidentally misuse their access to information or resources and cause some kind of business-affecting event
- Employees, consultants, contract labor, maintenance staff, guards, etc.
- Access to inside knowledge/procedures
- Take advantage of sloppy security procedures
- User lack of knowledge/mistakes

Keyloggers -

- monitor and record keystrokes and mouse clicks
- Can steal serial numbers for SW, launch Internet attacks, gain access to e-mail accounts, steal passwords, credit card info ...
- Can be used by companies to track employees' use of e-mail and the Internet
- Some antivirus and antispyware programs protect against software keyloggers

Security of Mobile Computing devices -

must be secured like other in-house, non-mobile resources against malware, theft, accidental loss, unauthorized access, and hacking attempts

Click fraud -

occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase

Computer criminals use denial-of-service attacks on information systems to __________.

prevent legitimate users from using the system's resources

Online transaction processing

requires 100 percent availability, no downtime.

Hot site -

separate & fully equipped facility where the firm can move immediately after a disaster and resume business

Cold site -

separate facility without any computer equipment but is a place employees can move after a disaster - provides a shell to get started - "computer ready"

Controlling network traffic Deep packet inspection (DPI)

sorts out low-priority online material (music and video downloads) while assigning a higher priority to business-critical files and data; less important traffic can be blocked or delayed

Authentication -

the ability to know that a person is who he or she claims to be; a method of confirming users' identities

WEP -

the initial security standard for Wi-Fi; relatively easy to crack ... WPA2 is better ... Can use something like Hotspot Shield to create a VPN, a safer way to browse ...

Security outsourcing -

using managed security service providers (MSSPs)
